The HIPAA Privacy Rule


“Business Associates” of “Covered Entities”
Privacy Contract Form


Part A: What is HIPAA?

  • Generally. HIPAA stands for the “Health Insurance Portability and Accountability Act of 1996”. In this article, we shall confine ourselves to addressing the privacy provisions of HIPAA (hereinafter “the HIPAA Privacy Rule”). It applies to health information created or maintained by health care providers who engage in certain electronic transactions, health plans, and health care clearinghouses (known as “Covered Entities” in HIPAA parlance). Although the HIPAA statute passed by Congress only delegated authority to HHS to regulate privacy information in the hands of health care providers, health plans, and health care clearinghouses, it became obvious to HHS, in drafting its regulations, that no effective privacy rules could be constructed unless independent contractors of Covered Entities also were subject to the same privacy standards as Covered Entities themselves. Thus, HHS, in its regulations, extended the reach of the HIPAA Privacy Rule beyond that which was delegated to it by Congress by requiring Covered Entities to get contractual assurances from their independent contractors who fit within the definition of “Business Associates” that they shall adhere to and be bound by the same HIPAA privacy standards as Covered Entities. Covered Entities have until April 14, 2003 to contractually bind their Business Associates to comply with the HIPAA privacy standards.
  • What is the HIPAA Privacy Rule? “This rule includes standards to protect the privacy of individually identifiable health information. The rules, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.” Preamble to Final Regulations issued by HHS pursuant to HIPAA, 45 CFR Parts 160 through 164; Federal Register: December 28, 2000 (Volume 65, Number 250).
  • What information is covered? “All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.” “Protecting The Privacy Of Patients’ Health Information”, HHS Fact Sheet (May 9, 2001).
  • Must health care providers receive consent from patients before disclosing Protected Health Information? Under the final modifications to the HIPAA Regulations issued by HHS in 2000, health care providers who directly treat patients are no longer required to obtain patient consent prior to the use or disclosure of protected health information (“PHI”) for purposes of treatment, payment, and health care operations. However, please be aware that HIPAA does not preempt state law in this area and, thus, the states are free to require patient consent. Also, use or disclosure of protected health information for purposes other than treatment, payment, and health care operations does require patient consent under the HIPAA Privacy Rule.

Part B: Who is a “Covered Entity”?

  • Who is a “Covered Entity” under HIPAA? Health plans, health care clearinghouses, and “health care providers who transmit any health information in electronic form in connection with a transaction covered by this subchapter” (i.e., generally meaning the transmission of any health information in electronic form, but see below for the complete definition) are “Covered Entities” under HIPAA. Please note that health care providers who do not submit electronic transactions of health care information may still become Covered Entities under this rule when another entity, such as a billing service or a hospital, transmits standard electronic transactions on their behalf. Please also note that health plans and health care clearinghouses do not need to enter into an “electronic transaction” involving “Protected Health Information” (“PHI”) before they can be defined as a “covered entity”. Only a health care provider must engage in an “electronic transaction” involving PHI before it becomes a “covered entity”. A “transaction” is defined in the regulations to HIPAA as follows:
    “The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

    (1) Health care claims or equivalent encounter information.
    (2) Health care payment and remittance advice.
    (3) Coordination of benefits.
    (4) Health care claim status.
    (5) Enrollment and disenrollment in a health plan.
    (6) Eligibility for a health plan.
    (7) Health plan premium payments.
    (8) Referral certification and authorization.
    (9) First report of injury.
    (10) Health claims attachments.
    (11) Other transactions that the Secretary may prescribe by regulation.”

    See Privacy Regulation, 45 C.F.R. § 160.103 Definitions.

    Therefore, if a medical practice engages in any electronic transaction described above (even only one transaction), then the Privacy Rule of the HIPAA regulations applies to this medical practice. This is the case even if the medical practice uses another entity, such as a billing service or hospital, to transmit an electronic transaction described above. Even though coverage under HIPAA is triggered by use of electronic transactions, the HIPAA Privacy Rule applies to individually identifiable health information in any form, including oral, written and electronic communications.


Part C: Who is a “Business Associate”?

  • A Business Associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI. A Business Associate is not a member of the health care provider, health plan, or other covered entity’s workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes – for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.
  • Q: Is it reasonable for covered entities to be held liable for the privacy violations of business associates?
    “A: A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. Moreover, a business associate’s violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by the covered entity. The contract must obligate the business associate to advise the covered entity when violations have occurred. If the covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, the covered entity must take “reasonable steps” to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship. If such steps are not successful, the covered entity must terminate the contract if feasible. The rule also provides for circumstances in which termination is not feasible, for example, where there are no other viable business alternatives for the covered entity. In such circumstances where termination is not feasible, the covered entity must report the problem to the Department. Only if the covered entity fails to take the kinds of steps described above would it be considered to be out of compliance with the requirements of the rule.”
    OCR HIPAA Privacy TA 164.502E.001, Business Associates, 45 CFR § 160.103, 164.502(e), 164.514(e).

Part D: Required elements of Business Associate Contract (Excerpt of law.)

  • “A contract between the covered entity and a business associate must:
    (i) Establish the permitted and required uses and disclosures of such information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

    (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
    (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.”

    HIPAA Regs., 45 C.F.R. § 164.504(e)(2).

Part E: The HITECH Act of 2009 (amendment of HIPAA)

The following is a summary of the major changes to HIPAA brought about by the “Health Information Technology for Economic and Clinical Health Act” (“HITECH Act”).

  • The HITECH Act now obligates business associates to comply with HIPAA’s Security Rule for administrative, physical, and technical safeguards of PHI.
  • Upon discovery of a breach of unsecured PHI under its control, a business associate is required to notify the covered entity, which then must notify the impacted individual.
  • Business associates can incur civil and criminal penalties for violating the terms of business associate agreements.
  • An individual now has the right to receive an accounting of PHI disclosures made by covered entities and business associates.
  • HHS is now required to perform periodic audits to ensure that covered entities and business associates are complying with HIPAA.



MedLawPlus © 2014